{
	"id": "812c1bfd-fbbf-46ac-9353-e81d3e98d2ea",
	"created_at": "2026-04-06T00:15:45.998209Z",
	"updated_at": "2026-04-10T13:12:23.137402Z",
	"deleted_at": null,
	"sha1_hash": "4795b04cf8c826cf1ee07e9ad83c42722645b1d8",
	"title": "Pass the hash",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 105579,
	"plain_text": "Pass the hash\r\nBy Contributors to Wikimedia projects\r\nPublished: 2010-09-11 · Archived: 2026-04-05 16:20:09 UTC\r\nFrom Wikipedia, the free encyclopedia\r\n
In computer security, pass the hash is a hacking technique that allows an attacker to authenticate to a remote server or service by using the underlying NTLM or LanMan hash of a user's password, instead of requiring the associated plaintext password as is normally the case. It replaces the need to steal the plaintext password with the need to steal the hash.\r\n
The attack exploits a design weakness of the authentication protocol: the LM and NT hashes are unsalted password equivalents that remain static from session to session until the password is next changed, and the protocol requires nothing more than the hash to prove possession of the password.\r\n
This technique can be performed against any server or service accepting LM or NTLM authentication, whether it runs on a machine with Windows, Unix, or any other operating system.\r\n
On systems or services using NTLM authentication, users' passwords are never sent in cleartext over the wire. Instead, the client proves knowledge of the password to the requesting system (a domain controller, for example) by answering a challenge with a response computed from the password hash, under a challenge–response authentication scheme.[1]\r\n
Native Windows applications ask users for the cleartext password, then call APIs like LsaLogonUser[2] that convert that password to one or two hash values (the LM or NT hashes) and use those hashes, never the password itself, to compute the response sent to the remote server during NTLM authentication.[Notes 1][3]\r\n
If an attacker has the hashes of a user's password, they do not need the cleartext password; they can simply use the hash to authenticate with a server and impersonate that user.[4][5][6] In other words, from an attacker's perspective, hashes are functionally equivalent to the original passwords that they were generated from.\r\n
History\r\n
The pass the hash technique was originally published by Paul Ashton in 1997[6] and consisted of a modified Samba SMB client that accepted user password hashes instead of cleartext 
passwords. Later versions of Samba and other third-party implementations of the SMB and NTLM protocols also included the functionality.\r\n
This implementation of the technique was based on an SMB stack written by a third party (Samba and others), and for that reason suffered from a series of limitations from an attacker's perspective, chiefly limited or partial functionality. The SMB protocol has continued to evolve over the years, so third parties maintaining their own implementation must track the changes and additions introduced by newer versions of Windows and SMB (historically by reverse engineering, which is complex and time-consuming). Even after NTLM authentication succeeded using the pass the hash technique, tools like Samba's SMB client might not implement the functionality the attacker wanted to use, which made it difficult to attack Windows programs that use DCOM or RPC.\r\n
Also, because attackers were restricted to third-party clients when carrying out attacks, they could not use built-in Windows applications such as Net.exe or the Active Directory Users and Computers tool, because those ask the user for the cleartext password rather than the corresponding hash value.\r\n
In 2008, Hernan Ochoa published a tool called the \"Pass-the-Hash Toolkit\"[7] that allowed pass the hash to be performed natively on Windows. The toolkit allowed the user name, domain name, and password hashes cached in memory by the Local Security Authority to be changed at runtime after a user had authenticated; this made it possible to pass the hash using standard Windows applications, and thereby to undermine fundamental authentication mechanisms built into the operating system.\r\n
The tool also introduced a technique for dumping password hashes cached in the memory of the lsass.exe process (rather than in persistent storage on disk), which quickly became widely used by penetration testers and attackers. This hash harvesting technique is more powerful than earlier ones (such as dumping the local Security Accounts Manager database, the SAM, with pwdump and similar tools), mainly because the hashes held in memory can include the credentials of domain users, including domain administrators, who have logged into the machine and whose hashes are never stored in the local SAM. This makes it possible for a penetration tester or attacker to compromise an entire Windows domain after compromising a single domain-joined machine. Furthermore, the attack is instantaneous and needs no expensive computing resources for a brute-force attack.\r\n
This toolkit was subsequently superseded by \"Windows Credentials Editor\" (WCE), which extends the original tool's functionality and operating system support,[8][9] and later by tools such as Mimikatz. Some antivirus vendors classify the toolkit as malware.[10][11]\r\n
Hash harvesting\r\n
Before an attacker can carry out a pass-the-hash attack, they must obtain the password hashes of the target user accounts.\r\n
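The following Python is an added worked example; it is not code from the article or from any tool the article names. It implements the NT hash (MD4 over the UTF-16LE password, carrying its own MD4 because hashlib builds often lack that algorithm) and the NTLMv2 challenge-response computation from MS-NLMP, and then shows in code what the text above argues in prose: the response is derived from the NT hash alone, so an attacker who dumped the hash from LSASS or the SAM can answer a fresh server challenge without ever knowing the password; a challenge-response pair sniffed from the wire is bound to its server challenge and cannot itself be passed; and such a capture can instead be brute-forced offline against a wordlist to recover the password and hence the hash. The user name, domain, password, challenges, empty target-info block and wordlist are constructed sample values, not data from any real system.

```python
import hashlib
import hmac
import struct


def md4(message: bytes) -> bytes:
    # Pure-Python MD4 (RFC 1320). hashlib.new('md4') is often unavailable on OpenSSL 3
    # builds, so the example carries its own. NT hashes are unsalted MD4 digests.
    mask = 0xFFFFFFFF

    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & mask

    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19),
         list(range(16))),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    msg = message + bytes([0x80])
    msg += bytes((56 - len(msg) % 64) % 64)          # zero pad to 56 mod 64
    msg += struct.pack('<Q', (len(message) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack('<16I', msg[off:off + 64])
        a, b, c, d = state
        for func, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a = rotl((a + func(b, c, d) + x[k] + const) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c               # rotate registers for the next step
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return struct.pack('<4I', *state)


def nt_hash(password: str) -> bytes:
    # NT hash = MD4(UTF-16LE(password)). No salt: identical on every host and in every session.
    return md4(password.encode('utf-16le'))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    # NTOWFv2 (MS-NLMP 3.3.2): keyed by the NT hash only, plus upper-cased user name and domain.
    return hmac.new(nt, (user.upper() + domain).encode('utf-16le'), hashlib.md5).digest()


def ntlmv2_response(nt: bytes, user: str, domain: str, server_challenge: bytes,
                    client_challenge: bytes, timestamp: int, target_info: bytes) -> bytes:
    # NtChallengeResponse = NTProofStr || temp. The plaintext password never appears here:
    # whoever holds the 16-byte NT hash can answer any server challenge, which is pass the hash.
    temp = (bytes([1, 1]) + bytes(6) + struct.pack('<Q', timestamp) + client_challenge
            + bytes(4) + target_info + bytes(4))
    proof = hmac.new(ntowf_v2(nt, user, domain), server_challenge + temp, hashlib.md5).digest()
    return proof + temp


def crack_ntlmv2(user: str, domain: str, server_challenge: bytes, captured: bytes, wordlist):
    # A sniffed NTLMv2 exchange is bound to one server challenge, so it cannot be replayed to a
    # new session; the attacker must brute-force the password (and so the NT hash) offline.
    # This is the practical difference between a Net-NTLMv2 capture and a dumped NT hash.
    proof, temp = captured[:16], captured[16:]
    for candidate in wordlist:
        guess = hmac.new(ntowf_v2(nt_hash(candidate), user, domain), server_challenge + temp,
                         hashlib.md5).digest()
        if hmac.compare_digest(guess, proof):
            return candidate
    return None


def demo() -> dict:
    # Constructed sample values (hypothetical user, domain and password); nothing comes from a real system.
    user, domain, password = 'alice', 'CORP', 'Winter2024'
    target_info = bytes(4)                          # empty AV_PAIR list (MsvAvEOL only)
    session1 = bytes.fromhex('0123456789abcdef')    # server challenge seen on the wire
    session2 = bytes.fromhex('fedcba9876543210')    # a later session issues a fresh challenge
    client_nonce = bytes.fromhex('aaaaaaaaaaaaaaaa')

    # 1. The legitimate client hashes its password and answers the session-1 challenge.
    legit = ntlmv2_response(nt_hash(password), user, domain, session1, client_nonce, 0, target_info)
    # 2. An attacker who dumped the NT hash (LSASS, SAM, NTDS) answers the session-2 challenge
    #    without ever learning the password: the hash is the credential.
    dumped = nt_hash(password)
    pth = ntlmv2_response(dumped, user, domain, session2, client_nonce, 0, target_info)
    expected2 = ntlmv2_response(nt_hash(password), user, domain, session2, client_nonce, 0, target_info)
    # 3. An attacker who only sniffed session 1 cannot reuse that response for session 2,
    #    but can crack it offline to recover the password and hence the hash.
    recovered = crack_ntlmv2(user, domain, session1, legit, ['Summer2023', 'Password1', 'Winter2024'])
    return {
        'nt_hash': dumped.hex(),
        'pass_the_hash_works': pth == expected2,
        'capture_replays': legit == expected2,
        'cracked_password': recovered,
    }


if __name__ == '__main__':
    print(demo())
```

Run it with python3; demo() returns a dict summarising the three outcomes. The NTLMv1 response (DES keyed from the padded NT hash) is equally computable from the hash alone, so the point does not depend on the v2 variant; the example uses NTLMv2 because that is what current Windows clients send by default.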
Penetration testers and attackers can harvest password hashes using a number of different methods:\r\n
Reading the domain cached credentials of users who have previously logged onto a machine (for example at the console or via RDP). These are stored in the registry's SECURITY hive (not in the SAM) and can be read by anyone with Administrator-level privileges; note that they are salted MS-Cache (DCC/DCC2) hashes that cannot be passed directly and must first be cracked. The default behaviour of caching credentials for offline logon can be disabled by administrators, so this technique may not work on a sufficiently hardened machine.\r\n
Dumping the local user account database (SAM). This database only contains user accounts local to the compromised machine. In a domain environment, the SAM of a machine does not contain domain users, only local users, which are less likely to be useful for authenticating to other services on the domain. However, if the same local administrator password is used across multiple systems, the attacker can access those systems remotely using the local account's hash.\r\n
Sniffing LM and NTLM challenge–response exchanges between clients and servers, and later cracking the captured responses offline. What is captured in this way is not the hash itself but a response derived from it and from the server's challenge; such a response cannot be passed to another server (though it may be relayed, see SMBRelay), so a brute-force or dictionary attack is needed to recover the password and hence the actual hash.\r\n
Dumping authenticated users' credentials stored by Windows in the memory of the lsass.exe process. The credentials dumped in this way may include those of domain users or administrators, such as those logged in via RDP. This technique can therefore obtain credentials of accounts that are not local to the compromised computer but originate from the security domain that the machine is a member of.\r\n
Mitigations\r\n
Any system using LM or NTLM authentication in combination with any communication protocol (SMB, FTP, RPC, HTTP etc.) is at risk from this attack.[1] The technique is very difficult to defend against, because exploitable flaws in Windows and in applications running on Windows can be used by an attacker to elevate privileges and then carry out the hash harvesting that facilitates the attack. Furthermore, it may take only one machine in a Windows domain that is misconfigured or missing a security patch for an attacker to find a way in, and a wide range of penetration testing tools are available to automate the discovery of such weaknesses.\r\n
There is no single defence against the technique, so standard defence-in-depth practices apply:[12] for example firewalls, intrusion prevention systems, 802.1X authentication, IPsec, antivirus software, reducing the number of people with elevated privileges,[13] proactive security patching[14] and so on. Preventing Windows from storing cached credentials may limit attackers to obtaining hashes from memory, which usually means that the target account must be logged into the machine when the attack is executed.[15] Allowing domain administrators to log into systems that may be compromised or untrusted creates a scenario in which the administrators' hashes become the targets; limiting domain administrator logons to trusted domain controllers therefore limits an attacker's opportunities.[12] The principle of least privilege suggests a least user access (LUA) approach, in which users do not use accounts with more privileges than the task at hand requires.[12] Configuring systems not to use LM or NTLM can also strengthen security, but newer attacks forward Kerberos tickets in a similar way (pass the ticket),[16] and an NT hash can still be used to obtain Kerberos tickets wherever the RC4-HMAC encryption type is permitted (overpass the hash). Limiting which accounts hold the debug privilege (SeDebugPrivilege) may frustrate some attacks that inject code into, or read hashes from, the memory of sensitive processes.[12]\r\n
Restricted Admin mode for Remote Desktop is a Windows feature introduced with Windows 8.1 and Windows Server 2012 R2 and backported to earlier versions in 2014 via Microsoft Security Advisory 2871997; it keeps the connecting user's credentials off the remote host and so reduces the effectiveness of the attack.[17] Because the RDP server then authenticates the session as a network logon, it accepts an NT hash in place of a password for that connection, so the mode should be combined with the other mitigations above rather than relied on alone.\r\n
See also\r\n
Metasploit Project\r\n
Mimikatz\r\n
Reflection attack\r\n
SMBRelay\r\n
Notes\r\n
1. Within an Active Directory domain, Windows uses Kerberos authentication by default and falls back to NTLM where Kerberos is unavailable (for example when a server is addressed by IP address rather than by name).\r\n
References\r\n
1. Chris Hummel (12 October 2009). \"Why Crack When You Can Pass the Hash?\". SANS Institute.\r\n
2. \"LsaLogonUser\". Microsoft. 7 September 2011. Retrieved 25 October 2011.\r\n
3. \"How Interactive Logon Works\". Microsoft. 22 January 2009. Retrieved 25 October 2011.\r\n
4. \"What is a Pass-the-Hash Attack (PtH)?\". BeyondTrust. 2023-08-04. Archived from the original on 2024-05-15. Retrieved 2024-06-23.\r\n
5. Lenaerts-Bergmans, Bart (2024-02-21). \"What is a Pass-the-Hash Attack?\". crowdstrike.com. Archived from the original on 2024-04-07. Retrieved 2024-06-23.\r\n
6. Daniel Stirnimann (9 August 2010). \"Windows Attack — Gain Enterprise Admin Privileges in 5 Minutes\" (PDF). Compass Security AG. Archived from the original (PDF) on August 26, 2014. Retrieved 10 October 2010.\r\n
7. Hernan Ochoa (2 July 2008). \"What is Pass-The-Hash Toolkit?\". Retrieved 20 October 2011.\r\n
8. Hernan Ochoa (2011). WCE Internals. RootedCON.\r\n
9. Hernan Ochoa (2011). \"Windows Credentials Editor (WCE) F.A.Q.\". Amplia Security. Retrieved 25 October 2011.\r\n
10. \"SecurityRisk.WinCredEd\". Symantec. 21 March 2011. Archived from the original on April 13, 2012. Retrieved 25 October 2011.\r\n
11. \"HackTool:Win32/Wincred.A\". Microsoft. 1 October 2011. Retrieved 25 October 2011.\r\n
12. Bashar Ewaida (21 January 2010). \"Pass-the-hash attacks: Tools and Mitigation\". SANS Institute.\r\n
13. Roger Grimes (26 July 2011). \"Stop pass-the-hash attacks before they begin\". InfoWorld. Retrieved 25 October 2011.\r\n
14. Rob Kraus; Brian Barber; Mike Borkin; Naomi Alpern (2010). Seven Deadliest Microsoft Attacks. Syngress. pp. 12–14. ISBN 978-1-59749-551-6.\r\n
15. \"Preventing Pass-the-Hash Attacks and Cached Credential Attacks\". Berkeley Lab Computer Protection Program. Archived from the original on 4 May 2011. Retrieved 20 October 2011.\r\n
16. \"Microsoft Windows Kerberos 'Pass The Ticket' Replay Security Bypass Vulnerability\". securityfocus.com. 13 August 2010. Archived from the original on 12 March 2016. Retrieved 20 October 2010.\r\n
17. \"Microsoft Security Advisory 2871997\". 14 October 2022.\r\n
External links\r\n
Microsoft Pass the Hash Mitigation Guidance\r\n
Amplia Security\r\n
SMBShell\r\n
Patrick Jungles et al.: Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques, Microsoft Corp., 2012, retrieved on Feb. 3, 2015\r\n
Uninformed Break-the-hash paper\r\n
Reducing the Effectiveness of Pass-the-Hash (NSA)\r\n
CWE-836: Use of Password Hash Instead of Password for Authentication\r\n
Source: https://en.wikipedia.org/wiki/Pass_the_hash",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://en.wikipedia.org/wiki/Pass_the_hash"
	],
	"report_names": [
		"Pass_the_hash"
	],
	"threat_actors": [],
	"ts_created_at": 1775434545,
	"ts_updated_at": 1775826743,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4795b04cf8c826cf1ee07e9ad83c42722645b1d8.pdf",
		"text": "https://archive.orkl.eu/4795b04cf8c826cf1ee07e9ad83c42722645b1d8.txt",
		"img": "https://archive.orkl.eu/4795b04cf8c826cf1ee07e9ad83c42722645b1d8.jpg"
	}
}